Commit 3ecd98a31bdb7af32f5c994f644d2c99e9edc9c8

Authored by Carlos Purificação
1 parent 83da31b0

Added sanitize to api/proposal

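--- a/lib/proposals_discussion_plugin/api.rb
+++ b/lib/proposals_discussion_plugin/api.rb
@@ -1,5 +1,6 @@
 class ProposalsDiscussionPlugin::API < Grape::API
 
+
 resource :proposals_discussion_plugin do
 
 paginate per_page: 10, max_per_page: 20
@@ -23,6 +24,8 @@ class ProposalsDiscussionPlugin::API < Grape::API
 end
 
 post ':id/propose' do
+sanitize_params_hash(params)
+
 parent_article = environment.articles.find(params[:id])
 
 proposal_task = ProposalsDiscussionPlugin::ProposalTask.new
@@ -37,7 +40,5 @@ class ProposalsDiscussionPlugin::API < Grape::API
 {:success => true}
 #present proposal_task, :with => Entities::Task, :fields => params[:fields]
 end
-
 end
-
 end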
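Review bot: The return value of `sanitize_params_hash(params)` at the top of the `post ':id/propose'` block is discarded, so the new call only protects the reads of `params[:id]` and the article attributes below it if the helper mutates its argument in place; the helper is not defined in this file, so that contract cannot be confirmed from the diff. A one-line comment would pin the dependence for the next reader, e.g. `# sanitize_params_hash must mutate params in place: every read below relies on it`, and if the helper instead returns a new hash the lines below are still reading the raw input. The `post` block opened in the second hunk closes in the third; the body between them, including where the article attributes are copied into the task, is outside the diff.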
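--- a/test/unit/api_test.rb
+++ b/test/unit/api_test.rb
@@ -45,4 +45,22 @@ class APITest < ActiveSupport::TestCase
 assert json['success']
 end
 
+should 'sanitize proposal' do
+discussion = fast_create(ProposalsDiscussionPlugin::Discussion, :profile_id => user.person.id)
+topic = fast_create(ProposalsDiscussionPlugin::Topic,
+:profile_id => user.person.id,
+:parent_id => discussion.id)
+params[:article] = {:name => "Proposal name", :abstract => "Proposal <iframe>Test</iframe> abstract",
+:type => 'ProposalsDiscussionPlugin::Proposal',
+:body => "This is a malicious body <iMg SrC=x OnErRoR=document.documentElement.innerHTML=1>SearchParam"}
+assert_difference "ProposalsDiscussionPlugin::ProposalTask.count" do
+post "/api/v1/proposals_discussion_plugin/#{topic.id}/propose?#{params.to_query}"
+end
+json = JSON.parse(last_response.body)
+assert json['success']
+task = Task.last
+assert_equal "Proposal Test abstract", task.abstract
+assert_equal "This is a malicious body SearchParam", task.article.body
+end
+
 end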
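Review bot: `task = Task.last` after the success assertion picks the most recently persisted Task of any kind rather than the record this POST created, so the two `assert_equal` lines would compare against an unrelated task if a fixture or earlier setup leaves a newer one; capturing the new record explicitly, e.g. `task = ProposalsDiscussionPlugin::ProposalTask.order(:id).last`, ties the assertions to the proposal under test. The `:name` value goes through the same sanitize call but is never checked; if the task exposes it, `assert_equal "Proposal name", task.name` would also confirm that benign text survives sanitization. The `should` block is complete within the hunk; the enclosing `APITest` class opens outside it.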